我正在致力於一個方向服務,其中用戶輸入地址和地址,並獲取路線表(提供轉彎信息)以及顯示路線的地圖。用戶輸入,PHP,Javascript和安全
下面是完整的源代碼(getdirections.php):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Directions</title>
<style>
* { font-family: Verdana; font-size: 96%; }
label { width: 15em; float: left; }
label.error { display: block; float: none; color: red; vertical-align: top; }
p { clear: both; }
.submit { margin-left: 12em; }
em { font-weight: bold; padding-right: 1em; vertical-align: top; }
</style>
<script src="jquery-1.3.1.js" type="text/javascript">
</script>
<script src="http://maps.google.com/maps?file=api&v=2&sensor=false& amp;key=[Your Key Here]"
type="text/javascript">
</script>
</head>
<body onunload="GUnload()">
<div id="container">
<div id="directform">
<form id="direct" action="getdirections.php" method="get">
<p><label for="loc1">From Here:</label>
<input id="loc1" type="text" name="location1" class="required" /></p>
<p><label for="loc2">To Here:</label>
<input id="loc2" type="text" name="location2" class="required" /></p>
<p><input type="submit" value="Search" /></p>
</form>
</div>
<?php
function filterInput ($input) {
$replacement = ',';
$input = preg_replace('/(\n|\r)+/', $replacement, $input);
$replacement = " ";
$input = preg_replace('/(\t)+/', $replacement, $input);
$inputarray = explode(' ', $input);
foreach ($inputarray as $i => $value) {
$ch = '';
if ($value[strlen($value)-1] == ',') {
$ch = ',';
$value = substr($value, 0, -1);
}
$value =
preg_replace('/^(\&|\(|\)|\[|\]|\{|\}|\"|\.|\!|\?|\'|\:|\;)+/', "", $value);
$inputarray[$i] =
preg_replace('/(\&|\(|\)|\[|\]|\{|\}|\"|\.|\!|\?|\'|\:|\;)+$/', "", $value);
$inputarray[$i] = $inputarray[$i].$ch;
}
$filteredString = implode(" ", $inputarray);
return $filteredString;
}
?>
</div>
<table class="directions">
<tr>
<td valign="top">
<div id="directions" style="width: 100%"></div>
</td>
</tr>
<tr>
<td valign="top">
<div id="map_canvas" style="width: 250px; height: 400px"></div>
</td>
</tr>
<td valign="top">
<div id="directions_url"></div>
</td>
</table>
<noscript><b>JavaScript must be enabled in order for you to use Google Maps.</b>
However, it seems JavaScript is either disabled or not supported by your browser.
To view Google Maps, enable JavaScript by changing your browser options, and then
try again.
</noscript>
<script type="text/javascript">
// This programming pattern limits the number of global variables
// Thus it does not pollute the global namespace
// for_directions is the only global object here.
for_directions = function(){
// The map is loaded into the div element having id specified by mapid
// private variable
var mapid = "map_canvas";
// The direction listing is loaded into the div element having id specified by directionsid.
// private variable
var directionsid = "directions";
// From here
// private variable
var location1;
// To here
// private variable
var location2;
// The functions (init and addevent) are public methods of for_directions object
return {
// Called on loading of this page
// public method
init: function(){
location1 = "<?= filterInput($_GET['location1']) ?>" || 0;
location2 = "<?= filterInput($_GET['location2']) ?>" || 0;
var directions = document.getElementById(directionsid);
directions.innerHTML = "Please check the address and try again";
if (GBrowserIsCompatible() && location1 != 0 && location2 != 0){
mapAddress(location1, location2);
}
},
// This method is cross browser compliant and is used to add an event listener
// public method
addEvent:function(elm,evType,fn,useCapture){
if(elm.addEventListener){
elm.addEventListener(evType, fn, useCapture);
return true;
} else if (elm.attachEvent) {
var r = elm.attachEvent('on' + evType, fn);
return r;
} else {
elm['on' + evType] = fn;
}
}
};
// Called from init
// private method
function mapAddress (address1, address2){
var geocoder = new GClientGeocoder();
var directions = document.getElementById(directionsid);
var i = 0;
geocoder.getLatLng(address1, function(point1){
if (point1){
geocoder.getLatLng (address2, function(point2){
if (point2){
getDirections();
} else {
directions.innerHTML = "Please check the address and try again";
}
});
} else {
directions.innerHTML = "Please check the address and try again";
}
});
}
// Called from mapAddress to load the directions and map
// private method
function getDirections(){
var gmap = new GMap2(document.getElementById(mapid));
var gdir = new GDirections(gmap,document.getElementById(directionsid));
gdir.load("from: " + location1 + " to: " + location2,
{ "locale": "en_US" });
generateURL();
}
function generateURL(){
var url = "http://maps.google.com/maps?saddr=";
url += location1;
url += "&daddr=";
url += location2;
var a = $("<a></a>").attr('href',url);
$(a).text("Google Maps");
$("#directions_url").append(a);
}
}();
// The(); above results in the function being interpreted by the browser just before the page is loaded.
// Make for_directions.init as the listener to load event
// Note that the init method is public that why its accessible outside the object scope
for_directions.addEvent(window, 'load', for_directions.init, false);
</script>
</body>
</html>
如果你嘗試在你的系統它的名字作爲getdirections.php此代碼。唯一需要更改的是Google Maps API密鑰。你可以得到鑰匙here。
一旦生成放在關鍵參數的鍵(複製到下面以方便行):
<script src="http://maps.google.com/maps?file=api&v=2&sensor=false& amp;key=[Your key here]"
type="text/javascript">
正如從上面的代碼中看到的那樣,我打通PHP輸入和做在Javascript的處理。現在,我不希望用戶放棄任何類型的輸入(javscript,危險的HTML等)。我嘗試在PHP中使用urlencode函數。但是,編碼的用戶輸入不被JavaScript代碼接受,即使輸入正確也不會失敗。
作爲解決此問題的一種解決方法,我在PHP中編寫了一個filterInput函數,它將替換/刪除某些字符並阻止用戶試圖通過輸入嘗試執行Javascript代碼的任何嘗試。
這工作得很好。但是,當用戶嘗試提供惡意輸入時,比如說「+ alert(」hello「)+」,包括開始和結束引號時,filterInput函數會剪切前導和尾部引號,結果字符串如下所示:
+alert("hello")+
當下面的代碼執行現在:像
location1 = "<?= filterInput($_GET['location1']) ?>" || 0;
PHP substitues其返回值的函數調用如下:在S的
location1 = "+alert("hello")+" || 0;
執行與上面的行一起發生錯誤(錯過;之前的聲明)
請注意,如果我沒有修剪引號,並直接使用$ _GET ['location1']我會得到。
location1 = ""+alert("hello")+"" || 0;
alert(「hello」)會被執行!!
所以,我正在修復。如果我過濾輸入,我在某些用戶輸入上得到一個javascript錯誤,如果我不過濾輸入,我允許用戶執行任何類型的JavaScript。
我的問題,然後是:
- 什麼是處理在網絡上輸入正確的和安全的方式?
- 這種用戶輸入是否跨語言(從PHP到Javascript)可以嗎?
- 除了用戶能夠執行JavaScript之外,其他類型的安全威脅所做的是這段代碼是否容易受到攻擊?
感謝您的閱讀!
請幫忙。
爲什麼你關心用戶在自己的會話中執行任意的JS?無論如何,他們可以用Firebug等來做到這一點。常見的攻擊媒介將包括對服務器端進程(包括PHP和任何數據庫服務)或其他用戶會話(包括XSS攻擊)的攻擊。如果人們想要自己的瀏覽器,爲什麼要阻止他們?事實上,在這種情況下,我沒有看到任何服務器端處理的真正需求 - 您可以將init函數作爲onClick處理程序運行,並使用JS獲取表單值。 – steamer25 2009-07-08 18:39:32